Containers and security - understanding the new model for software deployment

Containers are revolutionising software deployment, but security must not be an after thought

According to developers, containers are cool - around 26 per cent of companies are already running containers as part of their IT strategies, and the overall market is due to grow at 40 per cent year-on-year to $2.7bn worldwide by 2020, according to 451 Research.

Containers help software and operations teams develop and deploy new applications for the business much more quickly. They simplify the DevOps model by making it easier to build, test and run applications. However, there are some big changes required when you move over to running containers as opposed to more traditional IT.

The accelerated pace of development made possible with containerised applications means they can be put together and deployed without any input from the operations and IT security teams. This can mean that they don't get adequately checked for security flaws and vulnerabilities. Similarly, the process for managing updates and changes to containers is very different to patching and updating machines that run on physical, virtual or cloud instances.

For CISOs and security teams, this means rethinking around how security gets embedded into processes. Container security needs to be agile and automated so it doesn't impede the development process, but it also has to follow the right approaches so that security and compliance can be maintained.

The container security model - a different kind of onion

Everyone in IT should be familiar with the OSI model of computing systems, which consists of seven layers from the physical layer to the application layer. However, containers do not fit exactly with that model. Like an onion, container security consists of multiple layers, each of which has to be considered.

In looking at these layers, there are different issues and risks that can be introduced. Each of these issues pose their own security challenges, and security teams must keep these on their radar as they deploy containers and orchestration tools.

The first potential problem is the presence of unvalidated external software within container images. This covers any software components that have been downloaded from untrusted sources and inserted into container images. This poses a challenge for security teams who must effectively assess and manage the image integrity of containers that have not been checked and managed by the enterprise.

Second, containers may have non-standard configurations and deployment hygiene. In practice, this means including elements within the container images that do not belong. This exposes IT environments to a higher risk of breaches and potential loss of sensitive information as the unnecessary elements don't get updated and fixed over time.

Thirdly, security teams should monitor container-to-container communication, otherwise known as "East-West traffic," via exposed ports. This is an issue as this traffic bypasses regular host-based monitoring options and inhibits security checks for lateral movement and breaches.

Finally, the ephemeral nature of containers can pose a challenge for security teams. Containers are intended to constantly spawn and disappear in keeping with the elastic demand of customer environments, requiring security to be more dynamic than ever before. This can lead to a lack of governance and potentially to unauthorised access.

The process for updating containers is different to standard IT management processes, whether these assets are physical, virtual or based in the cloud. Rather than applying the patch to specific software installations or updating operating systems, each container image will have a set of components included. This image will be rebuilt based on replacing the component, and then put into the library of images to be used in future. This means that the image is brought up to date in the background and then is rolled out to replace all the existing containers. The process is not difficult, but it requires a different set of processes to be applied.

In order to securely embrace the container movement, security teams must be able to do four things well:

• First, they must discover and track container environments across their sprawl and scale. As containers can be brought up and destroyed to meet levels of demand, keeping up with how many images are in place at any point in time is essential.
• Second, they need effective vulnerability management, compliance practices, and container-native intrusion detection/prevention. Traditional tools don't fit into container deployments, so these agents have to be built into the base container images from the start.
• Thirdly, in order to achieve collaboration across security and DevOps teams, organisations must have adaptive security frameworks that integrate into the team's DevOps practices and work as part of the Continuous Integration / Continuous Deployment toolchain. In practice, that means integrating security into any Jenkins or Circle CI instance that is being used to manage that process rather than running as a separate service.
• Lastly, it is also important for organisations to update their operational monitoring and incident response strategies. Software teams will also have to think about their release strategy too, so security processes are considered earlier.

Containers have great potential - more and more organisations are evaluating how they can make use of this new approach to deploying applications at scale. However, security should not be an afterthought for these deployments. By knowing how to manage containers securely, teams across IT can make the most of this new approach to application development and deployment.

Marco Rottigni is chief technical security officer at Qualys

There's no bigger event in the UK IT industry's calendar than the UK IT Industry Awards, brought to you by the BCS and Computing. The UK IT Industry Awards are all about celebrating the achievements of IT professionals from apprentices to CIOs, throughout the industry. Check out the 2018 shortlist and reserve your table for the biggest night of the year